Security hardening (v0.2.1)

- Cache backend get/set failures degrade to cache miss/uncached instead of 500 (CWE-703)
- Interpolated cache tag values length-capped before use as Redis keys (CWE-770)

Author: Berik Ashimov

CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## 0.2.1 — 2026-06-10
+
+Security hardening.
+
+### Changed
+
+- Cache backend `get` / `set` failures (e.g. a Redis outage) are now caught and
+  logged, degrading gracefully to a cache miss / uncached response instead of
+  surfacing a 500 (CWE-703).
+- Interpolated cache tag values are length-capped (256 chars) before use as
+  Redis key components, so a hostile path segment cannot inflate the tag-key
+  namespace (CWE-770).
+
 ## [0.2.0] - 2026-05-16
 
 Security hardening.

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hawkapi-cache"
-version = "0.2.0"
+version = "0.2.1"
 description = "Response caching for HawkAPI — decorator + middleware + Redis/memory backends + tag-based invalidation"
 readme = "README.md"
 license = { file = "LICENSE" }

src/hawkapi_cache/_decorator.py

@@ -92,7 +92,17 @@ async def wrapper(*args: Any, **kwargs: Any) -> Any:
             )
             cache_key = plugin.key_prefix + base_key
 
-            cached = await plugin.backend.get(cache_key)
+            try:
+                cached = await plugin.backend.get(cache_key)
+            except Exception as exc:
+                # Backend outage (e.g. Redis down) — fail open: treat as a
+                # cache miss and serve from the handler rather than 500.
+                logger.warning(
+                    "cache: backend get failed for key %s, treating as miss: %s",
+                    cache_key,
+                    exc,
+                )
+                cached = None
             decoded: tuple[int, list[tuple[bytes, bytes]], bytes] | None = None
             if cached is not None:
                 try:
@@ -124,12 +134,22 @@ async def wrapper(*args: Any, **kwargs: Any) -> Any:
 
             interpolated = interpolate_tags(tags, dict(request.path_params))
             raw_headers = response._build_raw_headers()  # pyright: ignore[reportPrivateUsage]
-            await plugin.backend.set(
-                cache_key,
-                encode(response.status_code, raw_headers, response.body),
-                ttl=ttl,
-                tags=interpolated,
-            )
+            try:
+                await plugin.backend.set(
+                    cache_key,
+                    encode(response.status_code, raw_headers, response.body),
+                    ttl=ttl,
+                    tags=interpolated,
+                )
+            except Exception as exc:
+                # Backend outage (e.g. Redis down) — fail open: serve the
+                # response uncached rather than 500.
+                logger.warning(
+                    "cache: backend set failed for key %s, serving uncached: %s",
+                    cache_key,
+                    exc,
+                )
+                return response
             response._headers["x-cache"] = "MISS"  # pyright: ignore[reportPrivateUsage]
             return response
 

src/hawkapi_cache/_key.py

@@ -8,6 +8,10 @@
 if TYPE_CHECKING:
     from collections.abc import Sequence
 
+# Cap interpolated path-param values so a hostile path cannot inflate the
+# Redis tag-key namespace with unbounded-length keys.
+_MAX_TAG_LEN = 256
+
 
 def make_key(
     method: str,
@@ -27,10 +31,12 @@ def make_key(
 
 def interpolate_tags(tags: Sequence[str], path_params: dict[str, Any]) -> list[str]:
     """Substitute ``{name}`` placeholders in tag strings with path-param values."""
+    # Cap each value so a hostile path segment cannot produce an unbounded tag key.
+    capped = {k: str(v)[:_MAX_TAG_LEN] for k, v in path_params.items()}
     out: list[str] = []
     for tag in tags:
         try:
-            out.append(tag.format(**path_params))
+            out.append(tag.format(**capped))
         except (KeyError, IndexError):
             # Unknown placeholder — keep tag as-is rather than failing the request.
             out.append(tag)